Gmail Rings In New Year With XSS
David Utter Staff Writer
2007-01-02
Users of Google's Gmail service should avoid staying logged in to it until a cross-site scripting issue can be completely fixed.
Gmail staggered through the end of 2006 like a punch-drunk boxer after the 15th round. The service suffered a couple of serious problems in recent weeks, and they don't encourage confidence in Google's various initiatives that require trusting them with all of your information.
In mid-December, a situation arose where a few dozen Gmail accounts were cleaned out of all their messages and contacts. News of that, and Google's response, only came to light when TechCrunch spotted it on a Gmail support forum.
A Google representative confirmed to TechCrunch's Michael Arrington that the losses had taken place. She did not elaborate on a cause, though two suggestions have been raised: an exploit of a flaw in Firefox 2.0, or someone maliciously using passwords harvested from logins on another website to get into Gmail accounts that used the same password.
Then, as the New Year arrived, Garett Rogers described how one of his 'Googling Google' readers was able to easily craft a cross-site scripting attack that displayed a Gmail account's contacts via the JSON API Rogers had described in a previous post.
Rogers later wrote that Google appeared to have partially corrected the problem. Since the XSS issue has not been completely fixed, he suggested that people avoid staying logged in to Gmail until it is.
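The contacts leak Rogers describes is the classic shape of a JSON hijack: a cookie-authenticated URL returns a bare JSON array, and a bare array literal is also a complete JavaScript program, so a hostile page can load that URL in a script tag and the browser sends the victim's Gmail cookies along. The Python below is an added illustration for this article, not code from Google, Rogers, or his reader; the header name, the prefix value and the sample contacts are this example's own assumptions. It places the risky response shape beside a hardened handler and a small check a reviewer can run over a response body.

```python
import json

# Prefix that turns the body into a JavaScript syntax error if another origin
# loads it with <script src=...>. The value is this example's choice and is not
# claimed to be the one any real service uses.
ANTI_HIJACK_PREFIX = ")]}',\n"

# Constructed sample data standing in for an address book.
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "email": "alice@example.invalid"},
    {"name": "Bob Example", "email": "bob@example.invalid"},
]


def naive_contacts_response(contacts):
    """The risky pattern: a bare JSON array on a cookie-authenticated URL.

    A top-level array literal is a valid JavaScript program, so a page on
    another origin that includes this URL in a <script> tag runs it with the
    victim's cookies attached. Browsers of the era let such a page observe
    the array's contents, which is the class of flaw the article describes.
    """
    return 200, json.dumps(contacts)


def hardened_contacts_response(contacts, request_headers):
    """Three layers: a custom header gate, an object wrapper, and a prefix.

    1. A cross-origin <script> include cannot attach a custom request header,
       so requiring one (set by the site's own XMLHttpRequest code) rejects
       the hijack before any data is serialised.
    2. Wrapping the array in an object means the body is no longer a valid
       JavaScript program on its own.
    3. ANTI_HIJACK_PREFIX makes the body a syntax error for any script-tag
       loader; the site's own client strips it before parsing.
    """
    if request_headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, json.dumps({"error": "missing X-Requested-With header"})
    return 200, ANTI_HIJACK_PREFIX + json.dumps({"contacts": contacts})


def looks_script_includable(body):
    """Heuristic a reviewer can apply to a response body.

    A body whose first non-blank character opens an array literal is a valid
    JavaScript program and therefore a candidate for <script>-tag hijacking.
    A body carrying the prefix, or a top-level object, is not.
    """
    stripped = body.lstrip()
    if stripped.startswith(ANTI_HIJACK_PREFIX):
        return False
    return stripped.startswith("[")


def parse_hardened_body(body):
    """What the site's own JavaScript client does: strip the prefix, then parse."""
    if not body.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("response missing anti-hijack prefix")
    return json.loads(body[len(ANTI_HIJACK_PREFIX):])


if __name__ == "__main__":
    _, body = naive_contacts_response(SAMPLE_CONTACTS)
    print("naive body includable via <script>:", looks_script_includable(body))
    status, _ = hardened_contacts_response(SAMPLE_CONTACTS, {})
    print("hardened, no header:", status)
    status, body = hardened_contacts_response(
        SAMPLE_CONTACTS, {"X-Requested-With": "XMLHttpRequest"})
    print("hardened, with header:", status, looks_script_includable(body))
    print("client parse:", parse_hardened_body(body)["contacts"][0]["name"])
```

The header gate is the layer that actually stops the request from being served; the wrapper and prefix are defence in depth for any endpoint that is reachable without it. A browser-side complement that did not exist in 2007, marking the session cookie SameSite, would keep the cookie off the cross-site script request in the first place.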
If the Gmail deletions were caused by people reusing their Gmail password on other sites, so that a password pilfered elsewhere also opened their Gmail account, then the responsibility falls on users not to reuse passwords across websites.
That's going to be an issue for the many people who don't want to memorize a massive list of passwords or otherwise keep them in a list. Users shouldn't have to worry about this in the first place; database-driven websites should be storing salted password hashes rather than keeping passwords in plaintext anyway.
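To make the last point concrete, here is the storage pattern the article is asking for, written as an added Python example for this page and not taken from any of the sites it discusses. It uses the standard library's PBKDF2 with a random per-record salt, verifies in constant time, and flags records whose parameters are below the current setting so they can be upgraded at next login; the iteration count and salt length are this example's choices.

```python
import hashlib
import hmac
import os

# Parameters are this example's choice; real deployments should follow current
# guidance (higher counts, or a memory-hard function such as scrypt or Argon2).
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per record means the same password yields a different
    stored value on every site and for every user, so a table stolen from one
    site cannot simply be matched against another site's table, and each
    record has to be attacked on its own.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(ALGORITHM, iterations, salt.hex(), digest.hex())


def _split_record(record):
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGORITHM:
        raise ValueError("unsupported record format: " + algo)
    return int(iterations), bytes.fromhex(salt_hex), digest_hex


def verify_password(password, record):
    """Recompute from the stored salt and count; compare in constant time."""
    iterations, salt, digest_hex = _split_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record was made with fewer iterations than current policy.

    Call this after a successful verify_password: the plaintext is in hand at
    that moment, so the record can be rewritten with today's parameters.
    """
    stored_iterations, _, _ = _split_record(record)
    return stored_iterations < iterations


if __name__ == "__main__":
    shared = "correct horse battery staple"   # constructed sample password
    site_a = hash_password(shared)
    site_b = hash_password(shared)   # same password, different site, different salt
    print("records identical across sites:", site_a == site_b)
    print("verify right/wrong:", verify_password(shared, site_a),
          verify_password("not it", site_a))
    legacy = hash_password(shared, iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

Hashing changes what a breached table gives an attacker (a per-record guessing job instead of a list of plaintext credentials); it does not remove the reuse risk the article describes, which is why the user-side advice stands alongside it.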
---
Tag: Gmail
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.